From bc66b2f45ade2c63cfd14d5388f6ca0905a23bb0 Mon Sep 17 00:00:00 2001
From: Jack Mitchell
Date: Thu, 5 Sep 2019 09:35:37 +0000
Subject: iptables: add systemd helper unit to load/restore rules

There is currently no way to automatically load iptables rules in OE. Add a systemd unit file to automatically load rules on network connection. This is cribbed from the way ArchLinux handles iptables with some minor modifications for OE.

New rules can be generated directly on the target using:

# iptables-save -f /etc/iptables/iptables.rules

Good documentation for writing rules offline is lacking, but the basics are explained here: https://unix.stackexchange.com/q/400163/49405

(From OE-Core rev: 76d3574d17c38d93ba4660bdae5730ac222994d4)

Signed-off-by: Jack Mitchell
Signed-off-by: Diego Rondini
Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
---
 meta/recipes-extended/iptables/iptables/iptables.rules | 0
 .../recipes-extended/iptables/iptables/iptables.service | 13 +++++++++++++
 meta/recipes-extended/iptables/iptables_1.8.3.bb | 17 ++++++++++++++++-
 3 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-extended/iptables/iptables/iptables.rules
 create mode 100644 meta/recipes-extended/iptables/iptables/iptables.service

diff --git a/meta/recipes-extended/iptables/iptables/iptables.rules b/meta/recipes-extended/iptables/iptables/iptables.rules
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/meta/recipes-extended/iptables/iptables/iptables.service b/meta/recipes-extended/iptables/iptables/iptables.service
new file mode 100644
index 0000000000..041316e457
--- /dev/null
+++ b/meta/recipes-extended/iptables/iptables/iptables.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Packet Filtering Framework
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules
+ExecReload=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta/recipes-extended/iptables/iptables_1.8.3.bb b/meta/recipes-extended/iptables/iptables_1.8.3.bb
index 6ac3fc60c5..ff9fcb1b53 100644
--- a/meta/recipes-extended/iptables/iptables_1.8.3.bb
+++ b/meta/recipes-extended/iptables/iptables_1.8.3.bb
@@ -10,12 +10,14 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263\
 SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
 file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
 file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \
+ file://iptables.service \
+ file://iptables.rules \
 "
 SRC_URI[md5sum] = "29de711d15c040c402cf3038c69ff513"
 SRC_URI[sha256sum] = "a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80"
-inherit autotools pkgconfig
+inherit autotools pkgconfig systemd
 EXTRA_OECONF = "--with-kernel=${STAGING_INCDIR}"
@@ -56,6 +58,19 @@ INSANE_SKIP_${PN}-module-xt-ct = "dev-so"
 ALLOW_EMPTY_${PN}-modules = "1"
+do_install_append() {
+ install -d ${D}${sysconfdir}/iptables
+ install -m 0644 ${WORKDIR}/iptables.rules ${D}${sysconfdir}/iptables
+ install -d ${D}${systemd_system_unitdir}
+ install -m 0644 ${WORKDIR}/iptables.service ${D}${systemd_system_unitdir}
+ sed -i -e 's,@SBINDIR@,${sbindir},g' ${D}${systemd_system_unitdir}/iptables.service
+}
+
+SYSTEMD_SERVICE_${PN} = "iptables.service"
+
 RDEPENDS_${PN} = "${PN}-module-xt-standard"
 RRECOMMENDS_${PN} = " \
 ${PN}-modules \
-- 
cgit 1.2.3-korg
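Review bot: `ExecStart=` restores `/etc/iptables/iptables.rules`, but the rules file this commit ships is empty (diffstat `| 0`), so on a fresh image the unit reports active while no filtering has been applied; consider `ConditionFileNotEmpty=/etc/iptables/iptables.rules` in `[Unit]` so an unpopulated policy shows up as a skipped condition rather than a successful start, or at least a comment in the unit such as `# /etc/iptables/iptables.rules ships empty; populate it (e.g. with iptables-save) before relying on this unit`. A malformed hand-written rules file makes `iptables-restore` exit non-zero and the unit fail, and since it runs without `--noflush` it may leave only part of the ruleset committed, so operators should check the unit state after editing rules. With `RemainAfterExit=yes` and no `ExecStop=`, `systemctl stop iptables` leaves the loaded rules in place, which is worth a one-line comment for anyone expecting stop to flush.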
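Review bot: `${sysconfdir}/iptables/iptables.rules` is installed as an ordinary package file in `do_install_append` but not declared in `CONFFILES_${PN}`, so a later upgrade of the iptables package would overwrite rules an administrator generated on the target with `iptables-save -f` (the workflow the commit message recommends) with the empty default and silently drop the firewall; add `CONFFILES_${PN} += "${sysconfdir}/iptables/iptables.rules"` next to `SYSTEMD_SERVICE_${PN}`. The unit install and the `sed` rewrite also run unconditionally, so images without `systemd` in `DISTRO_FEATURES` still ship the unit file; wrapping that part of `do_install_append` in `if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then` … `fi` keeps sysvinit images clean. The rules file is installed `0644`; whether a world-readable firewall policy is acceptable is a distro decision, but `0600` may be worth considering since a populated file can reveal allowed peers and ports.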